coffee with carol - what's new in ibm i security in v7r3 and v7r2
TRANSCRIPT
6/8/2016
helpsystems.com/professional-security-services 1
© HelpSystems 1
What’s New in IBM i Security in V7R2 and V7R3
Carol Woodbury, VP of Global Security Services
Scott Forstie, Business Architect, DB2 for IBM i
HelpSystems LLC. All rights reserved.
New QAUDLVL values in V7R2
• *PTFOBJ – Changes to PTF objects during PTF operations
• *PTFOPR – PTF operations, such as load, apply or removal of a PTF
“Before” values added to these audit entries
• AD—Auditing value changes
• AU—Attribute changes
• CA—Authority changes
• CP—User profile changes (Note: only the previous special authority values have been added)
• DI—Directory server
• GR—Generic record (added changes to the function usage (Application Administration) settings)
• PA—Program adopt
• PG—Primary group changes
• RA—Restore object authority changes (added the name of the authorization list)
• RJ—Restore job description (added the name that had been specified in the job description)
• RO—Ownership changes for restored objects
• RZ—Primary group changes for restored objects
Other enhancements
• TLS version 1.1 (TLSv1.1) and 1.2 (TLSv1.2) are now available by default
• Online Certificate Status Protocol (OCSP) is now supported. This is a method for determining whether a digital certificate has been revoked
• DCM now supports the ability to assign multiple certificates to a server
  – Up to 4 in V7R3
• Services using the AES and SHA-2 algorithms, such as the crypto services APIs, software tape encryption and system-supplied SSL and VPN connections, will see a performance gain on POWER8 hardware.
QPWDRULES - V6R1
*PWDSYSVAL or
• *CHRLMTAJC
• *CHRLMTREP
• *DGTLMTAJC
• *DGTLMTFST
• *DGTLMTLST
• *DGTMAXn
• *DGTMINn
• *LMTSAMPOS
• *LMTPRFNAME
• *LTRLMTAJC
• *LTRLMTFST
• *LTRLMTLST
• *LTRMAXn
• *LTRMINn
• *MAXLENnnn
• *MINLENnnn
• *MIXCASEnnn
• *REQANY3
• *SPCCHRLMTAJC
• *SPCCHRLMTFST
• *SPCCHRLMTLST
• *SPCCHRMAXn
• *SPCCHRMINn
V7R2
• *ALLCRTCHG
  – password rules apply even when running CRT/CHGUSRPRF
UP NEXT...
V7R3
V7R3 auditing enhancements
• CP – contains all user profile attributes except TEXT and AUT (*PUBLIC authority), for both creation of and changes to a user profile
• QAUDLVL
  – *NETSECURE (to audit secure network connections)
  – *NETTELSVR (to audit telnet connections)
  – *NETUDP (to audit UDP connections)
  – *NETSCK is no longer considered a subset of *NETCMN
Authority Collection
• By user, collects the objects (programs, files, etc.) that are accessed, along with:
  – Current authority
  – Source of the authority
  – Specific authority required by the Operating System
Start Authority Collection (STRAUTCOL)
Querying the collection
Ways to use the Authority Collection
• Run a query before rolling out a new security implementation to your entire user base and ensure your test users have all the authority required to run the application and that it’s coming from the source you intended.
• Determine which application objects (especially *FILE objects) can have their authority immediately set to a more restricted authority setting, without fear that the application will stop working.
• Determine the exact authority required to work with IFS objects prior to implementing a new FTP process or ODBC connection on production.
• Determine the authority required for service accounts to work with database files. Simply turn on the authority collection for the service account, examine the entries, and determine the authority required. Undoubtedly it will not require *ALLOBJ!
• Use the authority-required fields to prove to developers and application providers that *ALL authority is not required
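The two queries below show how a security administrator could ask the collection the questions on this slide (which accesses relied on *ALLOBJ, and which files are over-authorized). They are an added example, not from the webinar or its slides; they assume the QSYS2.AUTHORITY_COLLECTION SQL view that IBM i 7.3 exposes for the collection, the column names shown, and that AUTHORITY_SOURCE names *ALLOBJ in its text. SVCACCT and PAYLIB are constructed placeholder names for a service account and an application library.

```sql
-- Added example, not from the webinar. Assumes the QSYS2.AUTHORITY_COLLECTION view
-- (IBM i 7.3) and the column names used below; SVCACCT and PAYLIB are constructed
-- placeholders for a service account profile and an application library.

-- 1. Every object SVCACCT touched where the authority it used came from *ALLOBJ
--    special authority. REQUIRED_AUTHORITY is what the operating system actually
--    checked for, i.e. the private authority or authorization list entry that
--    would let *ALLOBJ be removed from the profile without breaking the job.
SELECT system_object_schema AS library,
       system_object_name   AS object,
       object_type,
       required_authority,
       current_authority,
       authority_source,
       COUNT(*)             AS checks
  FROM qsys2.authority_collection
 WHERE authorization_name = 'SVCACCT'
   AND authority_source LIKE '%*ALLOBJ%'   -- assumption: source text names *ALLOBJ
 GROUP BY system_object_schema, system_object_name, object_type,
          required_authority, current_authority, authority_source
 ORDER BY library, object, required_authority;

-- 2. For each *FILE in PAYLIB, one row listing the distinct authorities SVCACCT
--    actually needed and one row listing what it currently holds. A file whose
--    "required" row never goes beyond *USE while its "current" row shows
--    *CHANGE or *ALL is a candidate for tightening with no application impact.
WITH auth AS (
  SELECT system_object_name AS file_name,
         'required'         AS kind,
         required_authority AS auth
    FROM qsys2.authority_collection
   WHERE authorization_name   = 'SVCACCT'
     AND system_object_schema = 'PAYLIB'
     AND object_type          = '*FILE'
  UNION                      -- UNION (not UNION ALL) removes duplicate rows
  SELECT system_object_name, 'current', current_authority
    FROM qsys2.authority_collection
   WHERE authorization_name   = 'SVCACCT'
     AND system_object_schema = 'PAYLIB'
     AND object_type          = '*FILE'
)
SELECT file_name,
       kind,
       LISTAGG(auth, ', ') WITHIN GROUP (ORDER BY auth) AS authorities
  FROM auth
 GROUP BY file_name, kind
 ORDER BY file_name, kind;
```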
Authority Collection – more considerations
• You must have either *ALLOBJ special authority or be authorized to the Database Security Administrator function (QIBM_DB_SECADM) to start the collection. You can administer this function via Application Administration (which is available as part of Navigator for i) or the Work with Function Usage (WRKFCNUSG) command.
• Limit User Function (Application Administration) settings are not recorded.
• For those features where authority to an object plus some special authority is required, the special authority requirement is not recorded.
• To display whether a collection is active and/or an authority collection repository exists for a user, run the DSPUSRPRF (Display User Profile) command and scroll to the end of the display.
• While a user’s collection setting is saved when running the SAVSECDTA (Save Security Data) command, the actual collection data is not.
• If an authority collection exists and the profile is deleted, its authority collection is also deleted.
• If you specify to collect authority for all objects in all libraries, some objects, such as operating system programs, are omitted from the collection; however, objects such as IBM-supplied commands will be included in the collection data.
• See Chapter 10 of the IBM i Security Reference manual for more details.
For more information
• IBM i Security Administration and Compliance, 2nd edition
  – www.mc-store.com/5129.html
• Technical updates
  – www.ibm.com/developerworks/ibmi/techupdates
• IBM i Information Center
  – http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i/welcome
• Security Reference manual
  – Chapter 9 – Auditing
  – Chapter 10 – Authority Collection
Questions?
www.helpsystems.com
www.helpsystems.com/professional-security-services
800-328-1000 | [email protected]